There are 330 million connected cars in the world, and their number is rising fast. So is car-related cybercrime – up more than 600%, according to one recent report. How worried should fleet managers be? “The OEMs are the weakest link,” warns Mark Binks, Group Managing Director of Bynx, the UK-based global automotive and fleet management software provider.
From 2016 to 2019, the number of automotive cybersecurity incidents increased by 605%, says Upstream Security’s 2020 Automotive Cybersecurity Report.
The frequency of attacks is increasing – doubling just in the year from 2018 to 2019. Some other findings:
57% of the attacks were by criminals (for disruption, theft or ransom), 38% by researchers (as a warning, to test systems security).
The most common attack vectors were keyless entry systems (30%), followed by backend servers (27%) and mobile apps (10%).
The most frequently reported crimes were car break-ins and thefts (30%), loss of control over car systems (27%) and data and/or privacy breaches (23%).
In all, 82% of the attacks were initiated remotely – basically, they could have come from anywhere in the world.
However, the total number of publicly reported automotive cyber incidents is just 367 for the entire 2010s. So, is it all a storm in a teacup?
“There are vulnerabilities in all types of networks,” says Mark Binks, Group Managing Director of Bynx, the UK-based global automotive and fleet management software provider. “Just look at the recent cyberattack on Travelex.”
At the end of 2019, a ransomware attack forced that foreign exchange company to take all its systems offline; customer transactions had to be completed manually, with pen and paper. The company claimed not to have paid any ransom ($6 million according to the BBC, which said it had spoken to the hackers). It took about a month to recover fully from the attack.
Bynx, as experts in translating the complexities of fleet management into easy-to-use tools for fleet managers, are well acquainted with both the risks and opportunities of increased connectivity.
“At any given time, there are people with bad intentions out there looking for the weakest links in online networks,” says Mr Binks. “My question with regard to the Travelex breach: Did they use best industry practices? If they didn’t, that would explain the success of the attack.”
Translate that to the fleet industry. Do fleet managers need to worry about best industry practices? Not necessarily: “If cars come, as they increasingly do, with in-built connectivity systems, the end responsibility for the cybersecurity of those vehicles rests with the OEMs. Of course, fleet managers need to be aware of the existing risks, and of the way the various OEMs deal with them. But they should not be held accountable.”
Of course, it’s a different story if you start equipping your fleet with third-party telematics. “Then the same rule applies as I mentioned earlier: look out for best industry practices. Make sure you’re not the weakest link.”
Rule of thumb
Will that rule of thumb still hold with the arrival of 5G? The new network standard, which will be implemented worldwide over the next few years, will dramatically increase bandwidth, resulting in an explosion of connectivity – also increasing the potential for online mischief. As connectivity becomes standard for cars, should we expect a wave of automotive cybercrime?
Nightmare scenarios for fleets, OEMs and/or public authorities include attacks similar to the one on Travelex, disabling large numbers of vehicles until a ransom has been paid. Specifically for corporates, hacking vehicles as a means of industrial espionage may be a threat. But on balance, the advent of 5G will reduce rather than increase the risk of auto-related cybercrime, says Mr Binks.
“Yes, 5G will be a paradigm shift. But it will also enable better encryption. In that respect, IMSI – short for International Mobile Subscriber Identity – will be a game-changer. It enables so-called ‘handshakes’ between various devices, that will establish their identities beyond doubt. This will make it harder for hackers to get into networks. IMSI is entirely 5G compatible. The system allows for over-the-air security updates of any device. Major EV manufacturers are already using the technology.”
However, even if the future of connectivity holds less risk of automotive cybercrime instead of more, we’re not entirely out of the woods. “As I said, criminals will continue looking for the weakest link. And that will not be the individual connected car, nor your corporate fleet of connected cars, but connectivity at manufacturer level.”
“The OEMs will be the weakest link. If criminals want to strike it big, that is where they’ll try to do so. Will they be able to get into an OEM network and paralyse an entire model range, for example? If the OEM manages the connectivity for that entire range via one server, potentially yes.”